Skip to content
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
    • Kong Konnect
    • Kong Mesh
    • Plugin Hub
    • decK
    • Kubernetes Ingress Controller
    • Insomnia
    • Kuma

    • Docs contribution guidelines
  • Plugin Hub
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kubernetes Ingress Controller
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 3.3.x (latest)
  • 3.2.x
  • 3.1.x
  • 3.0.x
  • 2.8.x
  • 2.7.x
  • 2.6.x
  • Older Enterprise versions (2.1-2.5)
  • Older OSS versions (2.1-2.5)
  • Archive (pre-2.1)

github-edit-pageEdit this page

report-issueReport an issue

enterprise-switcher-iconSwitch to OSS

On this pageOn this page
  • kong.client.tls.request_client_certificate([ca_certs])
  • kong.client.tls.disable_session_reuse()
  • kong.client.tls.get_full_client_certificate_chain()
  • kong.client.tls.set_client_verify()
Kong Gateway
3.2.x
  • Home
  • Kong Gateway
  • Plugin Development
  • PDK
  • kong.client.tls
You are browsing documentation for an outdated version. See the latest documentation here.

kong.client.tls

Client TLS connection module.

A set of functions for interacting with TLS connections from the client.

kong.client.tls.request_client_certificate([ca_certs])

Requests the client to present its client-side certificate to initiate mutual TLS authentication between server and client.

This function requests, but does not require the client to start the mTLS process. The TLS handshake can still complete even if the client doesn’t present a client certificate. However, in that case, it becomes a TLS connection instead of an mTLS connection, as there is no mutual authentication.

To find out whether the client honored the request, use get_full_client_certificate_chain in later phases.

The ca_certs argument is the optional CA certificate chain opaque pointer, which can be created by the parse_pem_cert or resty.opensslx509.chain The Distinguished Name (DN) list hints of the CA certificates will be sent to clients. If omitted, will not send any DN list to clients.

Phases

  • certificate

Parameters

  • ca_certs (cdata, optional): The CA certificate chain opaque pointer

Returns

  1. true|nil: Returns true if successful, or nil if it fails.
  2. nil|err: Returns nil if successful, or an error message if it fails.

Usage

local x509_lib = require "resty.openssl.x509"
local chain_lib = require "resty.openssl.x509.chain"
local res, err
local chain = chain_lib.new()
-- err check
local x509, err = x509_lib.new(pem_cert, "PEM")
-- err check
res, err = chain:add(x509)
-- err check
-- `chain.ctx` is the raw data of the chain, i.e. `STACK_OF(X509) *`
res, err = kong.client.tls.request_client_certificate(chain.ctx)
if not res then
  -- do something with err
end

kong.client.tls.disable_session_reuse()

Prevents the TLS session for the current connection from being reused by disabling the session ticket and session ID for the current TLS connection.

Phases

  • certificate

Returns

  1. true|nil: Returns true if successful, nil if it fails.

  2. nil|err: Returns nil if successful, or an error message if it fails.

Usage

local res, err = kong.client.tls.disable_session_reuse()
if not res then
  -- do something with err
end

kong.client.tls.get_full_client_certificate_chain()

Returns the PEM encoded downstream client certificate chain with the client certificate at the top and intermediate certificates (if any) at the bottom.

Phases

  • rewrite, access, balancer, header_filter, body_filter, log

Returns

  1. string|nil: Returns a PEM-encoded client certificate if the mTLS handshake was completed, or nil if an error occurred or the client did not present its certificate.

  2. nil|err: Returns nil if successful, or an error message if it fails.

Usage

local cert, err = kong.client.get_full_client_certificate_chain()
if err then
  -- do something with err
end

if not cert then
  -- client did not complete mTLS
end

-- do something with cert

kong.client.tls.set_client_verify()

Overrides the client’s verification result generated by the log serializer.

By default, the request.tls.client_verify field inside the log generated by Kong’s log serializer is the same as the $ssl_client_verify Nginx variable.

Only "SUCCESS", "NONE", or "FAILED:<reason>" are accepted values.

This function does not return anything on success, and throws a Lua error in case of a failure.

Phases

  • rewrite, access, balancer

Usage

kong.client.tls.set_client_verify("FAILED:unknown CA")
Thank you for your feedback.
Was this page useful?
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2023